MFC 874b1a35486b570513680c3d456b062ba097e1d9:

ipfilter: simplify ipf_proxy_check() return codes

ipf_proxy_check() returns -1 for an error and 0 or 1 for success.
ipf_proxy_check()'s callers check for error and if the return code
is 0, they change it to 1 prior to returning to their callers. Simply
by returning -1 or 1 we reduce complexity and cycles burned changing
0 to 1.

(cherry picked from commit 874b1a35486b570513680c3d456b062ba097e1d9)

Git Hash: f4722627bce29607179fa566c620cdda13fd96df
Git Author: cy@FreeBSD.org

MFC 57785538c6e0d7e8ca0f161ab95bae10fd304047 and
1e811efbc591699b872bea42b9de419c373199df:

57785538c6e0d7e8ca0f161ab95bae10fd304047)

Simplify the FreeBSD check using __FreeBSD__ compiler macro.

Rather than rely on __FreeBSD_version, defined in sys/param.h, use
__FreeBSD__ defined by the compiler.

Reported by: emaste
MFC after: 1 week

(cherry picked from commit 57785538c6e0d7e8ca0f161ab95bae10fd304047)

1e811efbc591699b872bea42b9de419c373199df:

Fix non-IPv6 build post 57785538c6e0d7e8ca0f161ab95bae10fd304047.

57785538c6e0d7e8ca0f161ab95bae10fd304047 change the test for FreeBSD
from __FreeBSD_version to __FreeBSD__. However this test was performed
before sys/param.h was included, therefore __FreeBSD_version was never
defined. As the test was never true opt_random_ip_id.h was never included.

Submitted by: bdragon
Reported by: bdragon

(cherry picked from commit 1e811efbc591699b872bea42b9de419c373199df)

Git Hash: 62607e8680e944f89cd7b5b7bca10698c66908b2
Git Author: cy@FreeBSD.org

MFC 0f34c80f376345b98a972940dd4757e58d7beb06:

Replace the redundant MENTAT macro with SOLARIS.

MENTAT and SOLARIS are synonymous. Remove the extraneous duplicate
macro.

(cherry picked from commit 0f34c80f376345b98a972940dd4757e58d7beb06)

Git Hash: 8d6da0aae1c4ca288537c9875eaed1f65988e51f
Git Author: cy@FreeBSD.org

MFC 4cd1807c7d2a67b633dd0c0bfde15091543a2514:

Retire the K&R/STD C __P prototype declarations.

In the old days when K&R C and STD C were each in use a workaround
(read hack) was required to allow the same code to work on each
without modification. All C compilers support STD C. We can finally
put the __P prototype to rest.

(cherry picked from commit 4cd1807c7d2a67b633dd0c0bfde15091543a2514)

Git Hash: 0c7a33852aa5cd28a9d9b19b8f8034d60a9cb50f
Git Author: cy@FreeBSD.org

MFC r366287:

Continued ipfilter #ifdef cleanup. The r343701 log entry contains a
complete description.

MFC r358560:

Retire macros:

BSD_GE_YEAR
BSD_GT_YEAR
BSD_LT_YEAR

MFC r351563:

Document ipf_nat_hashtab_add() return codes.

MFC r351562:

Destroy the mutex in case of error.

Obtained from: NetBSD ip_nat.c r1.7

MFC r351561:

Fixup typo in comment.

Obtained from: NetBSD ip_nat.c r1.7

MFC r343701 & r343732:

ipfilter #ifdef cleanup.

Remove #ifdefs for ancient and irrelevant operating systems from
ipfilter.

When ipfilter was written the UNIX and UNIX-like systems in use
were diverse and plentiful. IRIX, Tru64 (OSF/1) don't exist any
more. OpenBSD removed ipfilter shortly after the first time the
ipfilter license terms changed in the early 2000's. ipfilter on AIX,
HP/UX, and Linux never really caught on. Removal of code for operating
systems that ipfilter will never run on again will simplify the code
making it easier to fix bugs, complete partially implemented features,
and extend ipfilter.

Unsupported previous version FreeBSD code and some older NetBSD code
has also been removed.

What remains is supported FreeBSD, NetBSD, and illumos. FreeBSD and
NetBSD have collaborated exchanging patches, while illumos has expressed
willingness to have their ipfilter updated to 5.1.2, provided their
zone-specific updates to their ipfilter are merged (which are of interest
to FreeBSD to allow control of ipfilters in jails from the global zone).

Reviewed by: glebius@
Differential Revision: https://reviews.freebsd.org/D19006

MFC r343591:

Do not obtain an already held read lock. This causes a witness panic when
ipfs is invoked. This is the second of two panics resolving PR 235110.

PR: 235110
Reported by: David.Boyd49@twc.com

MFC r338047:

The bucket index is subtracted by one at lines 2304 and 2314. When 0 it
becomes -1, except these are unsigned integers, so they become very large
numbers. Thus are always larger than the maximum bucket; the hash table
insertion fails causing NAT to fail.

This commit ensures that if the index is already zero it is not reduced
prior to insertion into the hash table.

PR: 208566

MFC r338046:

Add handy DTrace probes useful in diagnosing NAT issues. DTrace probes
are situated next to error counters and/or in one instance prior to the
-1 return from various functions. This was useful in diagnosis of
PR/208566 and will be handy in the future diagnosing NAT failures.

PR: 208566

MFC r338045:

Expose np (nat_t - an entry in the nat table structure) in the DTrace
probe when nat fails (label badnat). This is useful in diagnosing
failed NAT issues and was used in PR/208566.

PR: 208566

MFC r337558, r337560

r337558:
Identify the return value (rval) that led to the IPv4 NAT failure
in ipf_nat_checkout() and report it in the frb_natv4out and frb_natv4in
dtrace probes.

This is currently being used to diagnose NAT failures in PR/208566. It's
rather handy so this commit makes it available for future diagnosis and
debugging efforts.

PR: 208566

r337560:
Correct a comment. Should have been detected by ipf_nat_in() not
ipf_nat_out().

MFC r323945 and 323962

Fix misspellings, typos and /* border misalignments.

MFC r322073:

Fix matchcing of NATed ICMP queries (resolving NATed MTU discovery).

MFC r318745:

Remove redundant variable declaration.

MFC r312886:

Fix lookup of original destination address when using a redirect rule.
Transparent proxying, e.g. to squid, is an example of this.

Obtained from: NetBSD ip_nat.c r1.17, ip_nat6.c r1.10

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Remove unused global variables as well as unused memory
allocations from ipfilter in preparation for VNET support.

Suggested by: cy (see D7000)
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Approved by: re (gjb)

Correct __FreeBSD__ check.

MFC after: 3 days

Don't assume checksums will be calculated later when fastfoward is
enabled (by default in r290383).

PR: 72210
MFC after: 1 week

Compare the newly allocated array elements to NULL in order to see
if the malloc succeeded.

Spotted by: reading kernel compile time log
MFC after: 2 weeks

o Use new function ip_fillid() in all places throughout the kernel,
where we want to create a new IP datagram.
o Add support for RFC6864, which allows to set IP ID for atomic IP
datagrams to any value, to improve performance. The behaviour is
controlled by net.inet.ip.rfc6864 sysctl knob, which is enabled by
default.
o In case if we generate IP ID, use counter(9) to improve performance.
o Gather all code related to IP ID into ip_id.c.

Differential Revision: https://reviews.freebsd.org/D2177
Reviewed by: adrian, cy, rpaulo
Tested by: Emeric POUPON <emeric.poupon stormshield.eu>
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Relnotes: yes

ipfilter bug #537 NAT rules with sticky have incorrect hostmap IP address.
This fixes when an IP address mapping is put in the hostmap table for
sticky NAT rules, it ends up having the wrong byte order.

Obtained from: ipfilter CVS repo (r1.102), NetBSD CVS repo (r1.12)

Update ipfilter 4.1.28 --> 5.1.2.

Approved by: glebius (mentor)
BSD Licensed by: Darren Reed <darrenr@reed.wattle.id.au> (author)

Add hierarchical jails. A jail may further virtualize its environment
by creating a child jail, which is visible to that jail and to any
parent jails. Child jails may be restricted more than their parents,
but never less. Jail names reflect this hierarchy, being MIB-style
dot-separated strings.

Every thread now points to a jail, the default being prison0, which
contains information about the physical system. Prison0's root
directory is the same as rootvnode; its hostname is the same as the
global hostname, and its securelevel replaces the global securelevel.
Note that the variable "securelevel" has actually gone away, which
should not cause any problems for code that properly uses
securelevel_gt() and securelevel_ge().

Some jail-related permissions that were kept in global variables and
set via sysctls are now per-jail settings. The sysctls still exist for
backward compatibility, used only by the now-deprecated jail(2) system
call.

Approved by: bz (mentor)

2020447 IPFilter's NAT can undo name server random port selection
(fix output port range, was a random number in [0,max-min]
(byteswapped on litle endian), instead of [min,max])

Submitted by: darrenr

2020447 IPFilter's NAT can undo name server random port selection

Approved by: darrenr
MFC after: 1 week
Security: CERT VU#521769

Apply a few changes from ipfilter-current:
* Do not hold any locks over calls to copyin/copyout.
* Clean up some #ifdefs
* fix a possible mbuf leak when NAT fails on policy routed packets

PR: 117216

Pullup IPFilter 4.1.28 from the vendor branch into HEAD.

MFC after: 7 days

Merge IPFilter 4.1.23 back to HEAD
See src/contrib/ipfilter/HISTORY for details of changes since 4.1.13

Resolve conflicts

MFC after: 2 weeks

Resolve conflicts

- Comment out duplicate rcsid strings in *.c files
- Move SIOCPROXY from ip_nat.h to ip_proxy.h and fix ip_proxy.h so that it
can be easily compiled into kdump, et al.

Merge the changes from 3.4.35 to 4.1.8 into the kernel source tree

Make ip_nat compile again. Should read #if->n<-def LARGE_NAT as in ipf 4.x

Move two variables that are unused if LARGE_NAT is defined inside an #ifdef
to keep them out of harms way when compiling.

PR: 72783

Allow ipnat redirect rules to work for non-TCP/UDP packets.

PR: 70038
Submitted by: fming@borderware.com
Reviewed by: darrenr
Obtained from: fming@borderware.com

Update ipfilter from 3.4.31 -> 3.4.35. Some important changes:
* block packets that fail to create state table entries
* only allow non-fragmented packets to influence whether or not a logged
packet is the same as the one logged before.
* correct the ICMP packet checksum fixing up when processing ICMP errors for NAT
* implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX
and ipf_nattable_max)
* frsynclist() wasn't paying attention to all the places where interface
names are, like it should.
* fix comparing ICMP packets with established TCP state where only 8 bytes
of header are returned in the ICMP error.

MFC after: 1 week

Commit import changed from vendor branch of ipfilter to -current head

Finally merge in the changes from ipfilter 3.4.29 to freebsd-current.
Main changes here are related to the ftp proxy and making that work better.

Commit changes that happened in IPFilter versions 3.4.27 - 3.4.28

Merge updates from 3.4.26 - 3.4.27.

bring in changes from 3.4.26.

fix conflicts (mostly damn rcs id's) generated by import

Backout inclusion of queue.h since rev 1.38 sys/file.h now has it
included in the right order.

Include sys/_lock.h and sys/_mutex.h to reduce namespace pollution.

Requested by: jhb

Import this patch to address user concerns.

PR: 27615
Submitted by: Andria Thomas <andria@tovaris.com>
Approved by: Me.
MFC after: 7 days

Fix initialisation of struct nat entry, to solve a panic that occurs
when reloading a nat table after reboot

Submitted by: Arjan de Vet <devet@devet.org>
Reviewed by: IP Filter mailing list
MFC after: 3 days

fix conflicts created by import

fix security hole created by fragment cache

fix duplicate rcsid

fix conflicts

Fix conflicts creted by import.

fix conflicts from rcsids

resolve conflicts

fix conflicts

fix up conflicts

fix conflicts

fix conflicts

Re add rev 1.11 diffs to ip_fil.h Also discover that I did not undefine
CVS_FUBAR (which no longer exists) and thus forgot to add $FreeBSD's.
Add them.

Approved by: jkh (is part of ipfilter upgrade)

Bring over ipfilter v3_3_8 kernel sources, including merging the
local modifications.
Also fix initializing fr_running in KLD case.
Rename ipl_inited to fr_runninhg in mlfk_ipl

Approved by: jkh

Bring over ipfilter kernel sources, including merging the local modifications.

KERNEL -> _KERNEL

Add kernel parts of revived ipfilter (3.3.3.)